Well, let's say I can provide you with some pointers.
That doesn't absolve you of the responsibility to study the documentation
thoroughly.

Thank you nonetheless. I was starting to get the impression that doing
anything other than telling people to read the documentation was verboten.
;) I'm not looking to just blindly type in config settings. I really want to
understand what it is I should be doing and then do it properly.

What are all these milters doing ?
Do you *know* ?
How can you use the same service for both smtp and non-smtp milters ?
Presumably, they don't take the same input format.

Those lines are in my main.cf for OpenDKIM (opendkim.org). I don't reject
incoming mail (yet) if it fails DKIM authentication, but I do sign all my
personal outgoing mail sent from this server. I'm not sure how to answer
"How can you use the same service for both smtp and non-smtp milters ?" but
I'll look into confirming whether that's set up properly.

Still missing a good RBL check; check out zen (www.spamhaus.org/zen)

I've added "reject_rbl_client zen.spamhaus.org" to my
smtpd_recipient_restrictions as the second-to-last value, right before
"permit."

No, since these are virtual aliases, postfix will reject any *virtual*
recipients that don't appear here. It makes no judgement on the RHS of the
aliases.

Yes. I want Postfix to reject any virtual recipients that don't appear here.
I was trying to be witty by saying they aren't "local" recipients (with
local in quotes) since I'm forwarding their mail somewhere else. But yes, I
understand that Postfix will reject if their address doesn't appear in this
file.